Refinement Calculus of Reactive Systems

RCRS (the Refinement Calculus of Reactive Systems)
is a compositional reasoning framework:

RCRS can model open (input-output), non-deterministic, and non-input-receptive systems.
Non-deterministic means for a given input, many outputs may be possible. Non-input-receptive means some inputs may be declared as illegal.

Components can be specified as symbolic transition systems
or as temporal logic (LTL) formulas.

Components can be composed using three primitive operators:
serial, parallel, and feedback composition.

A Formal Analyzer, implemented on top of Isabelle, which
allows to perform compatibility checks on a model, to flatten and
simplify a hierarchical model into a single monolithic
symbolic transition system without internal variables ("wires"),
and to generate simulation code.

The simulink2isabelle Translator, which translates
Simulink models
into RCRS Isabelle theories that can be processed by the Formal Analyzer.
We support a decent subset of Simulink's basic blocks, including
continuous-time blocks like Integrators.